
[postfix-jp: 4350] Re: SMTP oer SSL/TLSãããããã



ååãçãããã

systemctl status postfixãæããããèåãåããpermissionãèããããèããããããããããã
> ---------------------------------------------------------------------------
> warning: cannot get RSA certificate from file /etc/pki/dovecot/certs/dovecot.pem: disabling TLS support

ãããèèãããããããdovecotãTLSãæååããããããããããããããï
dovecotãèåãäæãããããããããããããã
 /etc/dovecot/conf.d/10-ssl.confã/etc/dovecot.conf(OSããããéããã)ãæåã
ããããããèããããããããã

ää
 /etc/dovecot/conf.d/10-ssl.conf
2016-03-28 8:10 GMT+09:00 æè <watanove@xxxxxxxxxxx>:

æèããã

localhostããããããããããSMTPããããããããã
SMTP over SSL/TLSããããããã

äãæãããåãããããããããèåãããæãããã
ãããããæãããçãããææããããããããï

ãããããéããããã

OS
---------------------------------------------------------------------------
CentOS Linux release 7.2.1511 (Core)

Postfix
---------------------------------------------------------------------------
Version   : 2.10.1
Release   : 6.el7

Dovecot
---------------------------------------------------------------------------
Version   : 2.2.10
Release   : 5.el7

Openssl
---------------------------------------------------------------------------
Version   : 1.0.1e
Release   : 51.el7_2.4


postconf -n
---------------------------------------------------------------------------
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
broken_sasl_auth_clients = yes
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin ddd $daemon_directory/$process_name $process_id & sleep 5
home_mailbox = Maildir/
html_directory = no
inet_interfaces = all
inet_protocols = ipv4
mail_owner = postfix
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
mua_client_restrictions = permit_sasl_authenticated,reject
mua_helo_restrictions = permit_sasl_authenticated,reject
mua_sender_restrictions = permit_sasl_authenticated,reject
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
mydomain = yotuba-hd.jp
myhostname = mail.yotuba-hd.jp
mynetworks = 127.0.0.0/8
myorigin = $mydomain
newaliases_path = /usr/bin/newaliases.postfix
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.10.1/README_FILES
relay_domains = $mydestination
relayhost =
sample_directory = /usr/share/doc/postfix-2.10.1/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtpd_banner = $myhostname Mail System
smtpd_client_restrictions = permit_mynetworks,reject_unknown_client_hostname,permit
smtpd_etrn_restrictions = permit_mynetworks,reject
smtpd_helo_required = yes
smtpd_recipient_restrictions = permit_sasl_authenticated,reject_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = yes
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_type = dovecot
smtpd_tls_cert_file = /etc/pki/dovecot/certs/dovecot.pem
smtpd_tls_key_file = /etc/pki/dovecot/private/dovecot.pem
smtpd_tls_loglevel = 1
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
smtpd_tls_session_cache_database = btree:/var/lib/postfix/smtpd_scache
smtpd_tls_session_cache_timeout = 3600s
smtpd_use_tls = yes
strict_rfc821_envelopes = yes
unknown_local_recipient_reject_code = 550


master.cf
---------------------------------------------------------------------------
smtp   inet n   -   n   -   -   smtpd
#smtp   inet n   -   n   -   1 postscreen
#smtpd  pass -   -   n   -   -   smtpd
#dnsblog unix -   -   n   -   0   dnsblog
#tlsproxy unix -   -   n   -   0   tlsproxy
submission inet n   -   n   -   -   smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_reject_unlisted_recipient=no
  -o smtpd_client_restrictions=$mua_client_restrictions
  -o smtpd_helo_restrictions=$mua_helo_restrictions
  -o smtpd_sender_restrictions=$mua_sender_restrictions
  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
smtps  inet n   -   n   -   -   smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_reject_unlisted_recipient=no
  -o smtpd_client_restrictions=$mua_client_restrictions
  -o smtpd_helo_restrictions=$mua_helo_restrictions
  -o smtpd_sender_restrictions=$mua_sender_restrictions
  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING



POP3 over SSL/TLS 995ãopensslãããããçèããããããããããã

openssl s_client -connect localhost:995
---------------------------------------------------------------------------
CONNECTED(00000003)
depth=0 C = JP, (ääççï
verify error:num=18:self signed certificate
verify return:1
depth=0 C = JP, (ääççï
verify return:1
---
Certificate chain
 0 s:/C=JP/(ääççï
  i:/C=JP/(ääççï
---
Server certificate
-----BEGIN CERTIFICATE-----
MIICyTCCAjKgAwIBAgIJAMWIIUhI1TJcMA0GCSqGSIb3DQEBBQUAMIGaMQswCQYD
(ççããããï
UKoaxaP7E0i3h27dDqzF3nFUKAxZne3bEbDSijkOLyNiWlhjw+iQYmvVJgwQ
-----END CERTIFICATE-----
subject=/C=JP/(ääççï
issuer=/C=JP/(ääççï
---
No client certificate CA names sent
Server Temp Key: ECDH, secp384r1, 384 bits
---
SSL handshake has read 1280 bytes and written 405 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 1024 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: 3789EA55C54C91AD4CFCFB08F935E9E1F4DEEB6D4CBDC1AD6A3B3679AE020C5A
    Session-ID-ctx:
    Master-Key: E583E7932E7F6974402D67DD336467E863A2A7A4146E38C763C6DA9971737D6585871604459186FF1D8B31B141532D08
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    0000 - 53 8c 09 60 ce 13 11 73-0d 9b 9d 2d 15 67 e8 06 S..`...s...-.g..
ãã(ççããããï

    Start Time: 1459117361
    Timeout   : 300 (sec)
    Verify return code: 18 (self signed certificate)
---
+OK Dovecot ready.


ããããããåäãäèãããããã


ããããsmtp over ssl/tlsãæçããããããã
æããããååãèããããopensslãããããçããããããããã
openssl s_client -connect localhost:465
---------------------------------------------------------------------------
CONNECTED(00000003)
write:errno=104
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 247 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE


systemctl status postfixãæããããèåãåããpermissionãèããããèããããããããããã
---------------------------------------------------------------------------
warning: cannot get RSA certificate from file /etc/pki/dovecot/certs/dovecot.pem: disabling TLS support
warning: TLS library problem: 30954:error:0200100D:system library:fopen:Permission denied:bss_file.c:398:fopen('/etc/pki/dovecot/certs/dovecot.pem','r'):
warning: TLS library problem: 30954:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:400:
warning: TLS library problem: 30954:error:140DC002:SSL routines:SSL_CTX_use_certificate_chain_file:system lib:ssl_rsa.c:722:
connect from localhost[127.0.0.1]
warning: Wrapper-mode request dropped from localhost[127.0.0.1] for service smtps. TLS context initialization failed. For details see earlier warnings in your logs.
disconnect from localhost[127.0.0.1]


ããããããã777ãããããããã(777ããããããããçãããããããï
ls -la /etc/pki/dovecot/certs/dovecot.pem
---------------------------------------------------------------------------
-rwxrwxrwx. 1 root root 1025 Mar 28 07:12 /etc/pki/dovecot/certs/dovecot.pem

äåãããã
ls -la /etc/pki/dovecot/private/dovecot.pem
---------------------------------------------------------------------------
-rwxrwxrwx. 1 root root 916 Mar 28 07:12 /etc/pki/dovecot/private/dovecot.pem

(Note: the file mode alone does not explain the EACCES above. The trailing "." in the ls output shows an SELinux security context is set on these files, and with a CentOS 7 host in enforcing mode a "Permission denied" on a 0777 file most likely comes from SELinux (the files under /etc/pki/dovecot carry Dovecot's label, not one the Postfix smtpd domain is allowed to read) or from a parent directory that is not searchable by the reading process; `ls -ldZ /etc/pki/dovecot /etc/pki/dovecot/private` and the audit log would confirm which. Once the cause is found, the private key should be put back to root-owned mode 0600 rather than left world-readable.)


ããããããããããããåãããããããã
ããããããæãããçãããããããããï

äèãæåããããåãããã

ãããããéããããã








--
/////ïïïïïï///////////////////////////////////////////////
ãæåäçããããããããããããããããããããã
ããäèåçåãæè äé
ãã144-0043ãæäé åçå ççïïïïïï
ãTel:03-5705-2595
ãFax:03-6423-9505 ïïïçåãåãããããï
ãmobile-phone:080-3430-2595 070-5582-6540
  Email:watanove@xxxxxxxxxxx
///////////////////////////////////////////////ïïïïïï/////

_______________________________________________
Postfix-jp-list mailing list
Postfix-jp-list@xxxxxxxxxxxxx
http://lists.osdn.me/mailman/listinfo/postfix-jp-list

_______________________________________________
Postfix-jp-list mailing list
Postfix-jp-list@xxxxxxxxxxxxx
http://lists.osdn.me/mailman/listinfo/postfix-jp-list

References
[postfix-jp: 4349] SMTP oer SSL/TLSãããããã, æè
